Data::Transpose::PasswordPolicy - Perl extension to enforce password policy


  use Data::Transpose::PasswordPolicy;

  my %credentials = (username => "marco",
                    password => "My.very.very.5strong.pzwd"

  my $pv = Data::Transpose::PasswordPolicy->new(\%credentials)
  if (my $password = $pv->is_valid) {
    print "$password is OK";
  else {
    die $pv->error


This module enforces the password policy, doing a number of checking. The author reccomends to use passphrases instead of password, using some special character (like punctuation) as separator, with 4-5 words in mixed case and with numbers as a good measure.

You can add the policy to the constructor, where minlength is the minimum password length, maxlength is the maximum password and mindiffchars is the minimum number of different characters in the password. Read below for patternlength

By default all checkings are enabled. If you want to configure the policy, pass an hashref assigning to the disabled checking a true value. This will leave only the length checks in place, which you can tweak with the accessors. For example:

  my %validate = ( username => "marco",
                   password => "ciao",
                   minlength => 10,
                   maxlength => 50,
                   patternlength => 4,
                   mindiffchars => 5,
                   disabled => {
                                 digits => 1,
                                 mixed => 1,
  my $pv = Data::Transpose::PasswordPolicy->new(\%validate)
  $pv->is_valid ? "OK" : "not OK";

See below for the list of the available checkings.

Please note: the purpose of this module is not to try to crack the password provided, but to set a policy for the passwords, which should have some minimum standards, and could be used on web services to stop users to set trivial password (without keeping the server busy for seconds while we check it). Nothing more.



Create a new Data::Transpose::PasswordPolicy object using the credentials provided to the constructor.



Set and return the new password. If no argument is provided, returns the current. It will strip leading and trailing spaces.


Set and return the new username. If no argument is provided, returns the current. It will strip leading and trailing spaces.


It returns the length of the password;


Returns the minimum length required. If a numeric argument is provided, set that limit. Defaults to 255;


As above, but for the maximum. Defaults to 12;


As above, but set the minimum of different characters (to avoid things like 00000000000000000ciao00000000000.

Defaults to 6;


As above, but set the length of the common patterns we will search in the password, like "abcd", or "1234", or "asdf". By default it's 3, so a password which merely contains "abc" will be discarded.

This option can also be set in the constructor.

Internal algorithms

All the following methods operate on $obj->password and return the message of the error if something if not OK, while returning false if nothing suspicious was found.


Check if the password is in the range of permitted lengths. Return undef if the validation passes, otherwise the arrayref with the error code and the error string.


Check if the password contains the username, even if obfuscated.

Disable keyword: username


Check if the password contains, even obfuscated, common password like "password" et similia.

Disable keyword: common


Check if the password has enough different characters.

Disable keyword: varchars


Check if the password has mixed cases

Disable keyword: mixed


Check if the password has non-word characters

Disable keyword: specials


Check if the password has digits

Disable keyword: digits


Check if the password has letters

Disable keyword: letters


Check if the password contains usual patterns like 12345, abcd, or asdf (like in the qwerty keyboard).

Disable keyword: patterns

Main methods


Return the password if matches the policy or a false value if not.

For convenience, this method can accept the password to validate as argument, which will overwrite the one provided with the password method (if it was set).


With argument, set the error. Without, return the errors found in the password.

In list context, we pass the array with the error codes and the strings. In scalar context, we return the concatenated error strings.

Inherited from Data::Transpose::Validator::Base;


Return a list of the error codes found in the password. The error codes match the options. (e.g. mixed, patterns).

If you want the verbose string, you need the error method.


Clear the object from previous errors, in case you want to reuse it.

$obj->disable("mixed", "letters", "digits", [...])

Disable the checking(s) passed as list of strings.

$obj->enable("mixed", "letters", [...])

Same as above, but enable the checking


Return true if the checking is disable.


None by default.



Marco Pessotto, <>


Copyright (C) 2013-2016 by Marco Pessotto

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.16.2 or, at your option, any later version of Perl 5 you may have available.